Firewall Wizards mailing list archives

Re: How automate firewall tests


From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 21 Aug 2006 12:10:55 -0400 (EDT)

On Mon, 21 Aug 2006, Patrick M. Hausen wrote:

> Hi, Paul!

Hi Patrick!

> Blocking ICMP completely breaks PMTUD. Which leads to all
> sorts of "funny" breakage from the end users point of view.

Surely you're in full control of the MTU between your firewall and 
external router?  Letting the border router deal with PMTU isn't 
necessarily a bad thing.

> I'm not in control of the MTU along the entire path from
> server to client. PMTUD is an endpoint mechanism.

Sure, but not many folks are downstream of small MTU serial links anymore, 
so if you set your external link to frag at 1492 or less (down to the 
minimum of 576 if you'd like ~100% success,) and allow your router to send 
ICMP to your server, then you're likely not to have PMTU issues if you 
simply don't allow external spoofing of your internal interface.

> Or did I get you completely wrong? I'm thinking of e.g.
> firewall protected public web servers. If you block ICMP,
> clients that try to access them with a smaller MTU than
> whatever the server's local interface has got will fail.

But since you control PMTU on your network, you can simply shrink it 
enough and allow the ICMP traffic between trusted nodes only.  Solves the 
problem.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
http://fora.compuwar.net      Infosec discussion boards 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
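The exchange above turns on how Path MTU Discovery behaves when a firewall drops ICMP "fragmentation needed" (type 3, code 4). The simulation below is an added example written for this archive page; it is not code from either poster. It models a path as a list of routers with next-hop MTUs, a sender that sets DF and shrinks on each ICMP it receives, and the firewall policy Paul describes (pass fragmentation-needed only from trusted routers). The router addresses, the 1492 and 1280 link MTUs, and the function names are constructed for the example.

```python
"""Simulate sender-side Path MTU Discovery (RFC 1191) through an ICMP-filtering
firewall. Constructed example for the firewall-wizards thread on blocking ICMP;
not code from the thread's authors."""

# ICMP type 3 (Destination Unreachable), code 4 (fragmentation needed and DF set):
# the only message PMTUD needs to hear from routers along the path.
ICMP_FRAG_NEEDED = (3, 4)

# Floor from the thread: every IPv4 host must accept 576-byte datagrams, so a
# sender that never exceeds it needs no ICMP feedback at all.
IPV4_MIN_MTU = 576

# Constructed topology (TEST-NET addresses): the site's border router on a
# 1492-byte link, and a far-end router the site does not control on a 1280 link.
BORDER_ROUTER = "192.0.2.1"
FAR_ROUTER = "198.51.100.7"
PATH = [(BORDER_ROUTER, 1492), (FAR_ROUTER, 1280)]


def icmp_permitted(src, icmp_type, icmp_code, trusted_sources):
    """Firewall policy from the thread: admit fragmentation-needed messages only
    when they come from a trusted router (e.g. the border router), drop all
    other ICMP. Spoofed ICMP from outside claiming an internal source is
    assumed to be dropped by the anti-spoofing rule Paul mentions."""
    return (icmp_type, icmp_code) == ICMP_FRAG_NEEDED and src in trusted_sources


def forward_df_packet(path, size):
    """Walk a DF-bit packet of `size` bytes hop by hop.
    Returns None if it fits every link, otherwise the (router, next_hop_mtu)
    of the first router that must reject it."""
    for router, mtu in path:
        if size > mtu:
            return router, mtu
    return None


def pmtud(path, local_mtu, trusted_sources, max_probes=8):
    """Run PMTUD from a host whose interface MTU is `local_mtu`.
    Each rejection generates an ICMP frag-needed from the rejecting router;
    the host only learns about it if the firewall policy admits that source.
    Returns a dict with the discovered PMTU (or None), probe count, and
    whether the connection black-holed (large packets silently lost)."""
    size = local_mtu
    for attempt in range(1, max_probes + 1):
        rejection = forward_df_packet(path, size)
        if rejection is None:
            return {"pmtu": size, "probes": attempt, "blackhole": False}
        router, next_hop_mtu = rejection
        if not icmp_permitted(router, *ICMP_FRAG_NEEDED, trusted_sources):
            # The router's ICMP never reaches the sender: classic PMTUD black hole.
            return {"pmtu": None, "probes": attempt, "blackhole": True}
        size = next_hop_mtu  # RFC 1191: adopt the next-hop MTU the router reported
    return {"pmtu": None, "probes": max_probes, "blackhole": True}


def scenarios():
    """The positions in the thread, run side by side."""
    return {
        # Patrick's case: all ICMP blocked, 1500-byte DF packets vanish at the border.
        "block_all_icmp": pmtud(PATH, 1500, set()),
        # Paul's case: ICMP from the border router allowed, so the 1492 link is
        # discovered, but the untrusted 1280 link further out still black-holes.
        "trust_border_only": pmtud(PATH, 1500, {BORDER_ROUTER}),
        # Every router along the path trusted: full PMTUD converges on 1280.
        "trust_whole_path": pmtud(PATH, 1500, {BORDER_ROUTER, FAR_ROUTER}),
        # Paul's fallback: shrink the local MTU to 576 and no ICMP is needed.
        "shrink_to_576": pmtud(PATH, IPV4_MIN_MTU, set()),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18s} {result}")
```

Running it shows both halves of the argument: with ICMP blocked outright the first 1500-byte probe black-holes; trusting only the border router recovers the 1492 link but not a smaller link beyond it that the site does not control; and lowering the local MTU to 576 delivers without any ICMP at all, which is the trade-off Paul is proposing.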
